PT-2026-52522 · Pnpm · Pnpm
Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-55697
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm installs the configDependencies declared in pnpm-workspace.yaml before dispatching the requested command. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency, and pnpm treated that repository-controlled dependency as an opt-in to an alternative install engine. During install, pnpm then resolved a platform-specific @pacquet/-/pacquet binary from node_modules/.pnpm-config/ and spawned it with the privileges of the developer or CI user running pnpm. This vulnerability is fixed in 10.34.2 and 11.5.3.
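As an added triage check, written for this entry and not part of the advisory or of pnpm itself, the following Python script reports whether both preconditions described above hold for a repository: a pnpm version below the fixed releases, and a configDependencies entry in pnpm-workspace.yaml named pacquet or @pnpm/pacquet. The sample workspace file is constructed, and the line-based reader is an assumption that covers only the plain `name: "spec"` mapping form.

```python
import re
# First patched release in each major line named by the advisory (CVE-2026-55697).
FIXED_VERSIONS = {10: (10, 34, 2), 11: (11, 5, 3)}
# Config-dependency names the advisory says pnpm treated as an install-engine opt-in.
RISKY_CONFIG_DEPS = {"pacquet", "@pnpm/pacquet"}

def parse_version(version):
    """Turn '10.34.1' (or 'v10.34.1-beta') into (10, 34, 1)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised pnpm version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """10.x below 10.34.2 or 11.x below 11.5.3; majors the advisory does not name are not flagged."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    return fixed is not None and parsed < fixed

def config_dependencies(workspace_yaml):
    """Names under the top-level configDependencies: mapping (line-based on purpose, no YAML library)."""
    names, in_block = [], False
    for line in workspace_yaml.splitlines():
        if re.match(r"^configDependencies:\s*(#.*)?$", line):
            in_block = True
            continue
        if not in_block or not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            break  # the next top-level key ends the mapping
        m = re.match(r"^\s+['\"]?([^'\":\s]+)['\"]?\s*:", line)
        if m:
            names.append(m.group(1))
    return names

def risky_config_dependencies(workspace_yaml):
    return sorted(n for n in config_dependencies(workspace_yaml) if n in RISKY_CONFIG_DEPS)

def exposed(pnpm_version, workspace_yaml):
    """Both advisory preconditions hold: unpatched pnpm plus a repository-declared risky config dependency."""
    return is_vulnerable_version(pnpm_version) and bool(risky_config_dependencies(workspace_yaml))

# Constructed sample workspace file, not taken from any real repository; hashes are placeholders.
SAMPLE_WORKSPACE = """\
packages:
  - "packages/*"
configDependencies:
  "@pnpm/pacquet": "0.0.1+sha512-PLACEHOLDER"
  my-config-pkg: "1.2.3+sha512-PLACEHOLDER"
"""
```

Run `exposed(<pnpm --version output>, open("pnpm-workspace.yaml").read())` at the repository root; a True result means the repository should be reviewed and pnpm upgraded to 10.34.2 or 11.5.3 before any install runs in CI.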
Weakness type: OS Command Injection
Affected Products
Pnpm